DPAPI-NG in Windows 8

posted by Passcape_Admin at 15:45:37 24.08.2012

The Data Protection Application Programming Interface (DPAPI) is a cryptosystem designed by Microsoft and built into every version of Windows since 2000. DPAPI exposes strong symmetric and asymmetric encryption algorithms that developers can use to protect information adequately. At the time of its release it was truly revolutionary, for the following main reasons.

It enabled developers, for the first time on Windows, to protect user data adequately without having to worry about key management.

Its underlying design featured adjustable parameters, so that resistance to cryptanalysis could be raised to keep pace with the growing power of computers.

It offered strong cryptography that remained simple for most software developers to implement.

DPAPI was problematic for attackers/forensic analysts because DPAPI data could only be decrypted on the system and under the account where it was encrypted.

However, with the release of Windows 8, Microsoft decided to change the situation by releasing a new-generation DPAPI named (guess!) DPAPI-NG. The main revision is that DPAPI data from one computer can now be decrypted on another - but, according to Microsoft, "only after proper authentication and authorization".

No explanation has been provided, and one can only speculate as to the reasons for this major revision (perhaps it relates to the migration of user or system data in large corporations? - Ed.). Microsoft lists ten new functions as part of DPAPI-NG, and naturally the storage format has changed too. The protected data is now stored in ASN.1 format and consists of three parts:

Header with description

Recipient data containing a secure encryption key

Actual encrypted data.

The following chart illustrates how it all works.
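The post says a DPAPI-NG blob made on one computer can be opened on another only after authentication and authorization; the C# program below, an added example that is not part of the original post, shows how that policy is expressed through the Windows 8 protection-descriptor functions in ncrypt.dll (NCryptCreateProtectionDescriptor, NCryptProtectSecret, NCryptUnprotectSecret), which the post does not name. It assumes Windows 8 / Server 2012 or later and uses the "LOCAL=user" descriptor so it runs on any single machine; a "SID=" descriptor naming a domain group is what enables cross-machine recovery.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the original article): round-trip a secret through DPAPI-NG via ncrypt.dll.
static class DpapiNgDemo
{
    const uint NCRYPT_SILENT_FLAG = 0x40;   // never show a UI prompt

    [DllImport("ncrypt.dll", CharSet = CharSet.Unicode)]
    static extern int NCryptCreateProtectionDescriptor(string descriptor, uint flags, out IntPtr hDesc);
    [DllImport("ncrypt.dll")]
    static extern int NCryptCloseProtectionDescriptor(IntPtr hDesc);
    [DllImport("ncrypt.dll")]
    static extern int NCryptProtectSecret(IntPtr hDesc, uint flags, byte[] data, uint cbData,
        IntPtr memPara, IntPtr hWnd, out IntPtr blob, out uint cbBlob);
    [DllImport("ncrypt.dll")]
    static extern int NCryptUnprotectSecret(IntPtr phDesc, uint flags, byte[] blob, uint cbBlob,
        IntPtr memPara, IntPtr hWnd, out IntPtr data, out uint cbData);
    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr h);

    static void Check(int s, string call) { if (s != 0) throw new InvalidOperationException(call + " failed: 0x" + s.ToString("X8")); }
    // Copy an NCrypt-allocated buffer to managed memory, then release it (LocalFree, since no custom allocator was given).
    static byte[] Take(IntPtr p, uint cb) { var b = new byte[cb]; Marshal.Copy(p, b, 0, (int)cb); LocalFree(p); return b; }

    // The descriptor is the authorization policy baked into the blob: "LOCAL=user" reproduces the classic
    // one-account behaviour; "SID=<domain group SID>" lets a blob written on one domain-joined machine be opened on another.
    public static byte[] Protect(string descriptor, byte[] secret)
    {
        IntPtr hDesc, pBlob; uint cbBlob;
        Check(NCryptCreateProtectionDescriptor(descriptor, 0, out hDesc), "NCryptCreateProtectionDescriptor");
        try {
            Check(NCryptProtectSecret(hDesc, NCRYPT_SILENT_FLAG, secret, (uint)secret.Length,
                IntPtr.Zero, IntPtr.Zero, out pBlob, out cbBlob), "NCryptProtectSecret");
            return Take(pBlob, cbBlob);
        } finally { NCryptCloseProtectionDescriptor(hDesc); }
    }

    // The blob carries its own descriptor; the caller only has to satisfy that policy (no key handling at all).
    public static byte[] Unprotect(byte[] blob)
    {
        IntPtr pData; uint cbData;
        Check(NCryptUnprotectSecret(IntPtr.Zero, NCRYPT_SILENT_FLAG, blob, (uint)blob.Length,
            IntPtr.Zero, IntPtr.Zero, out pData, out cbData), "NCryptUnprotectSecret");
        return Take(pData, cbData);
    }

    static void Main()   // demo with a constructed sample secret; first byte of the blob is the outer ASN.1 tag
    {
        byte[] blob = Protect("LOCAL=user", Encoding.UTF8.GetBytes("constructed sample secret"));
        Console.WriteLine("{0}-byte blob, first byte 0x{1:X2}; recovered: {2}", blob.Length, blob[0], Encoding.UTF8.GetString(Unprotect(blob)));
    }
}
```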

What isn't clear is why Microsoft so stubbornly keeps trying to do everything at once, combining data protection with a storage interface. In fact, a simple and convenient API for storing private data is what has been missing in Windows throughout its life. With the release of Windows 95, Protected Storage, with all its flaws, could by a long stretch of the imagination be called such an API, although using the registry for this purpose was, to put it mildly, not a brilliant idea. In Windows 7 we got a new closed interface called Windows Vault, but it lacks, for example, functionality for data synchronization and migration, working in the cloud (the new DPAPI-NG interface has actually been created with an eye to the popularization of cloud computing), etc.

Software developers have been starving for such an interface, as they often have to store secret data (e.g., encrypted with DPAPI) left and right. Let's hope that with the release of Windows 9 the situation will at last change for the better :)